In its second-quarter 2025 analysis, Cloudflare has highlighted a troubling trend in the landscape of distributed denial-of-service (DDoS) attacks. A large portion of these cyber threats—particularly those where the attacker could be identified—appear to stem from competitive motives within high-stakes digital industries.

Competitive Sabotage at the Forefront

Among surveyed customers who managed to trace the origins of attacks, nearly two-thirds indicated that rival companies were responsible. Sectors such as cryptocurrency, online gambling, and gaming were especially prone to this form of digital aggression. Additionally, around a fifth of identified assaults were attributed to actions initiated or supported by nation-states. A smaller but notable share of incidents were found to be accidental, often the result of misconfigured servers that triggered self-inflicted disruptions.

While the majority of respondents remained unaware of the exact source behind the attacks, the subset who did provide attribution painted a clear picture of industry-driven cyberwarfare. Incidents also included extortion-driven assaults and retaliation from unhappy users.

Geographic Patterns of Targeted Attacks

Surprisingly, the most frequently targeted country was not the United States, but China, which rose to the top spot from third place in the previous quarter. Brazil surged as well, moving up four positions to rank second, while nations such as Turkey and Hong Kong saw drops in their rankings. Vietnam made a notable leap, climbing 15 places into the top ten.

Top 10 Countries Targeted by DDoS Attacks (Q2 2025):

1. China

2. Brazil

3. Germany

4. India

5. South Korea

6. Turkey

7. Hong Kong

8. Vietnam

9. Russia

10. Azerbaijan

Industries Facing the Highest Attack Volumes

The telecommunications sector bore the brunt of these attacks, followed by providers of general internet infrastructure and IT services. The gaming and gambling sectors continued to be frequent targets, alongside finance and retail industries.

Most Targeted Sectors:

• Telecommunications

• Internet infrastructure

• IT services

• Online gaming

• Gambling and casinos

• Banking and financial services

• Retail

• Agriculture

• Software development

• Government institutions

Tracing the Origins: Countries and Networks

Cloudflare’s data suggests that a significant number of DDoS attacks originate from specific geographic regions, though these “origins” typically indicate where the infrastructure used in the attack—such as botnets, VPNs, or proxies—is located, not necessarily the attacker’s actual location.

Ukraine was named the fifth most common source of DDoS traffic, though the report did not differentiate between regions within the country. Some security analysts argue that many bots originate from territories currently under Russian control. Meanwhile, countries like the Netherlands, despite being in the top ten, may be overrepresented due to strong data privacy protections that make them appealing for botnet operators using VPNs.

Top 10 DDoS Source Countries (Based on Infrastructure):

1. Indonesia

2. Singapore

3. Hong Kong

4. Argentina

5. Ukraine

6. Russia

7. Ecuador

8. Vietnam

9. Netherlands

10. Thailand

Autonomous System Networks Behind the Attacks

Beyond countries, Cloudflare also tracked the networks—identified by Autonomous System Numbers (ASNs)—most frequently associated with malicious traffic. Several well-known infrastructure providers made the list, including Google Cloud, Microsoft, OVH, and Tencent.

A significant shake-up occurred in the rankings. Drei-K-Tech-GmbH emerged as the top network origin for DDoS traffic, surpassing DigitalOcean and knocking Hetzner from first to third place.

Leading ASN Sources of DDoS Attacks:

1. Drei-K-Tech-GmbH

2. DigitalOcean

3. Hetzner

4. Microsoft

5. Viettel

6. Tencent

7. OVH

8. Chinanet

9. Google Cloud Platform

10. Alibaba

Collaborative Defense Measures Needed

To address the increasing threat landscape, Cloudflare continues to offer its DDoS Botnet Threat Feed—free of charge—to cloud service providers, hosting companies, and ISPs. This initiative is aimed at helping providers shut down botnet nodes and identify compromised accounts. With over 600 organizations already participating in the program, collaborative efforts are beginning to show promise in reducing the prevalence of malicious traffic across the web.

Cloudflare emphasizes that greater cooperation among infrastructure providers could be a crucial step toward diminishing the frequency and intensity of DDoS campaigns worldwide.